Information Commissioner's Office

James Cleverly
Secretary of State for the Home Department 
The Home Office 
Peel Building 
2 Marsham Street 
London SW1P 4DF


28 February 2024 


Dear Secretary of State for the Home Department

Re: Warning to the Home Office

Background


1. The ICO has been engaging with the Home Office since 11 August 2022
in respect of the Satellite Tracking Services GPS Expansion Pilot (the
"Pilot"). The Pilot involved electronic monitoring as an immigration
bail condition of data subjects who arrived in the UK via unnecessary
and dangerous routes who had claims suitable for consideration under
the detained asylum casework (DAC) process ("Electronic
Monitoring").


2. Following careful consideration of all the information provided during
that engagement, the Information Commissioner (the
"Commissioner") provisionally found that the Home Office had failed
and was failing to comply with Articles 35 and 5(2) of the UK General
Data Protection Regulation (UK GDPR) in relation to the Pilot (the
"Infringements").


3. Accordingly, on 19 December 2023 the ICO issued to the Home Office: 


* a preliminary enforcement notice pursuant to Section 149(2)(a) and
(c) of the Data Protection Act 2018 (DPA) in respect of the Alleged
Infringements (the "PEN"); and


* "A notification of intention to issue a Warning to the Home Office"
regarding the Home Office's compliance with UK GDPR in relation to
the Pilot.


4. On 31 January 2024 the Home Office provided the ICO with its 
representations on both the PEN and the Notice of Intent to issue a 
Warning (the "Representations"). 
5. The Commissioner has considered the Representations and
has today issued an Enforcement Notice (the "EN") together with the 
warning pursuant to Article 58(2)(a) UK GDPR, set out in this letter. 


Warning 


6. The Commissioner's view is that if in the future the Home Office
processes personal data for Electronic Monitoring (the "Future
Processing") using the same or similar documents to the Pilot DPIA
and documentation, that Future Processing is likely to infringe
provisions of the UK GDPR (the "Warning").


7. The "Pilot DPIA and documentation" are: 


* GPS Expansion Satellite Tracking Service (STS) Data Protection
Impact Assessment Version Draft 2.3 (provided to the ICO on 13
October 2023);

* "Immigration Bail Conditions: Electronic monitoring (EM) expansion
pilot" version 1. This guidance was updated and published as version
2 on 23 June 2023. This document states that it must be read in
conjunction with the Immigration Bail guidance, the most recent
version of this document is Version 16.0 published on 8 August 2023;

* STS Privacy Information Notice GPS Expansion Pilot Cases (provided
to the Commissioner on 13 October 2023); and

* Home Office EM Internal Data Request Form and the Data Access
Request Guidance (provided to the Commissioner on 6 January
2023), the Process Control Document Process Data Requests v0.8SM
and the Process data requests v0.10 (provided to the Commissioner
on 1 September 2023).


8. The reasons for the Commissioner's view are set out below. 


9. For the avoidance of doubt, please note that the Warning relates only 
to the application of data protection law to the Future Processing. 


The Commissioner's Powers


10. Article 58(2) UK GDPR sets out the Commissioner's corrective powers.
Pursuant to Article 58(2)(a) UK GDPR the Commissioner has the
power:


"to issue warnings to a controller or processor that intended
processing operations are likely to infringe provisions of this
Regulation".


11. There is no statutory requirement to give notice of intention to issue a 
Warning. However, the Commissioner elected to give notice on a 
discretionary basis on this occasion for the purposes of: 


* encouraging the Home Office to enter early and meaningful 
engagement with the ICO regarding the Future Processing; and 


* affording the Home Office the opportunity to make representations
regarding the measures it has, or will, put in place to ensure that the 
Future Processing is fully compliant with the UK GDPR. 


Conclusions regarding the nature, scope and purpose of the 
intended processing operations 


12. Based on his understanding of the Pilot, the Commissioner anticipates 
that: 


* the Future Processing would include processing of the following
categories of personal data: name, date of birth, nationality, 
photograph, offending history, any vulnerabilities identified; a record 
of the data subject's latitudinal and longitudinal location taken at 
regular intervals whilst the electronic device is operational together 
with a corresponding time stamp for each location record ("Trail 
Data"); and a record of any notifications sent by the electronic 
monitoring device alerting that immigration bail conditions are 
breached; 


* the Future Processing may include processing of special category 
personal data such as: information concerning racial or ethnic origin 
and health; and information concerning health, political opinions, 
religious or philosophical beliefs, and sexual orientation, if Trail Data 
is processed alongside information about the places the data subject 
visits. For example, a map showing the use of buildings and/or the 
names and locations of organisations; 


* the nature and purpose of the Future Processing would include (but 
may not be limited to) some or all of the following: retrieval, 
consultation and disclosure of personal data for the purpose of 
making and recording a decision to grant immigration bail subject to 
an electronic monitoring condition; collection, recording, retrieval, 
consultation, use and disclosure of personal data for the purpose of
fitting or otherwise providing an electronic
monitoring device and maintaining that device; automated collection, 
recording and storage of Trail Data; retrieval, consultation, use, and 
disclosure of Trail Data for the purpose of responding to access 
requests made by or on behalf of, the Home Office, the data subject, 
or a third party such as a law enforcement agency; and the retrieval 
and erasure of personal data including Trail Data on expiry of a 
standard 6 year retention period; and 


* the Future Processing would include processing of personal data of 
the following categories of data subjects: individuals subject to 
Electronic Monitoring. 


Indications of the Home Office's intent to proceed with the Future 
Processing 


13. In deciding to issue this Warning, the Commissioner has noted the 
views expressed by the Home Office regarding the desire to reduce the 
number of individuals subject to immigration detention whilst 
controlling the rates of absconding and the lack of available options 
identified to meet these objectives. The Home Office position is 
summarised in the Draft DPIA V2.3 which states: 


"Ideally the Home Office would like to have very few in detention, but 
the current control method of regular reporting is proven not to work 
and absconding rates are high. The Home Office has a public duty to 
reduce these rates. To date no other options have been identified as 
available to control rates of absconding. The Home Office has 
evaluated options available to it to try and reduce the rates of 
absconding without the need for detention. GPS tagging is a solution 
already in use and is proposed as an alternative to deprivation of 
liberty. The specific use of tagging for those arriving by unnecessary 
and dangerous routes has not been tested before hence the need for 
a pilot with a relatively small (but representative) number of 
individuals to test its viability. The hypothesis is that tagging 
individuals will reduce the rate of absconding." 


14. Engagement between the ICO and the Home Office has been ongoing
since early in the Pilot. The Home Office has given no indication either
during this engagement or in its Representations that there has been
any change to the policy objectives as expressed above, or that any
new options have been identified to control rates of absconding. From
its Representations, it is clear that whilst there are no immediate plans,
the Home Office has not ruled out Electronic Monitoring and
Future Processing.


Conclusions regarding potential infringements of UK GDPR 


15. In the EN the Commissioner has concluded that the Home Office has 
failed and is failing to comply with Articles 35 and 5(2) of the UK 
General Data Protection Regulation (UK GDPR) in relation to the Pilot 
DPIA and documentation. 


16. The Commissioner considers that if the Home Office proceeds with the 
Future Processing, using the same or similar documents to the Pilot 
DPIA and documentation, then the processing of personal data 
(including special category personal data) involved is likely to infringe 
some or all of the UK GDPR provisions as detailed below. 


Infringement of Article 5(1)(a) UK GDPR - lawful processing 


17. For processing undertaken in connection with the Pilot, the Home 
Office is relying on Article 6(1)(e) UK GDPR and, in respect of special 
category personal data, on Article 9(2)(g) UK GDPR together with 
schedule 1 paragraph 6 DPA (the "Specified Grounds"). The 
Commissioner anticipates that the Home Office will also seek to rely 
on the Specified Grounds in relation to the Future Processing, which 
the Commissioner anticipates will be substantially the same as that 
undertaken in connection with the Pilot. 


18. To rely on the Specified Grounds the Home Office must establish that 
each processing activity undertaken for the purpose of the Future 
Processing is necessary and proportionate for the performance of its 
identified public task or function, being the exercise of its powers under 
Schedule 10 of the Immigration Act 2016. The Home Office will be 
unable to rely on the Specified Grounds in respect of any processing 
activities that do not meet the test of necessity and proportionality. 


19. To the extent that neither the Specified Grounds nor any alternative 
lawful bases and conditions of processing apply, the Home Office would 
be infringing the requirement of lawful processing under Article 5(1)(a) 
UK GDPR. Personal data must only be processed where one of the 
lawful bases under Article 6 UK GDPR applies. If the processing 
includes special category personal data, a condition under Article 9 UK 
GDPR and, where applicable, under Schedule 1 DPA, must also apply. 


Future Processing activities meet the test of necessity and
proportionality, as required by the accountability principle in Article
5(2) UK GDPR, which provides that a data controller "shall be
responsible for and be able to demonstrate compliance with the
requirements of Article 5(1) UK GDPR". As noted in the EN, the Home
Office has not sufficiently demonstrated compliance with the 
requirements of Article 5(1)(a) UK GDPR in respect of processing 
undertaken for the purposes of the Pilot. If this was not effectively 
demonstrated for any Future Processing the Home Office would be 
infringing Article 5(2) UK GDPR. 


21. The ICO's guidance¹ makes it clear that lawfulness under Article
5(1)(a) UK GDPR "also means that you don't do anything with the
personal data which is unlawful in a more general sense. This includes
statute and common law obligations, whether criminal or civil". The
guidance provides examples of relevant legislation, including the
Human Rights Act ("HRA"). Were a court to judge that the Home Office
had imposed an electronic tagging condition on an individual in breach 
of the HRA, any processing of that individual's personal data by the 
Home Office associated with the electronic tagging condition would 
also be in breach of the Article 5(1)(a) UK GDPR requirement of 
lawfulness. 


Infringement of Article 5(1)(a) UK GDPR - fair processing


22. Article 5(1)(a) UK GDPR includes a broad requirement that processing 
of personal data must be fair. To the extent that the Home Office fails 
to meet the requirement to process personal data lawfully (as detailed 
at paragraphs 17 - 21 above) and transparently (as detailed at 
paragraphs 23-25 below), or the Future Processing otherwise has an 
unjustified adverse effect on a data subject due to their particular 
circumstances or vulnerabilities, the Commissioner anticipates that the 
Home Office would also infringe the fairness requirement set out at 
Article 5(1)(a) UK GDPR. 


Infringement of Article 5(1)(a) UK GDPR - transparent processing


23. Article 5(1)(a) UK GDPR requires controllers to be transparent about
their processing of personal data. A list of specific information that
controllers must provide to data subjects at the time that their
personal data is obtained is set out in Article 13 UK GDPR. Pursuant to
Article 12(1) UK GDPR the information listed in Article 13 UK
GDPR must be provided in a "concise, transparent, intelligible
and easily accessible form, using clear and plain language...".


¹ Principle (a): Lawfulness, fairness and transparency | ICO


24. The EN details the Commissioner's concerns regarding the privacy 
information provided to data subjects whose personal data was 
processed for the purpose of the Pilot. 


25. If the privacy information provided by the Home Office to data subjects
whose personal data is processed for the purpose of the Future 
Processing is the same or substantially the same as that provided for 
the purpose of the Pilot, the Commissioner anticipates that the Home 
Office would be failing to meet the transparency requirement as set 
out in Article 5(1)(a) and as more specifically detailed in Articles 12 
and 13 UK GDPR. 


Infringement of Article 5(1)(c) UK GDPR - data minimisation


26. Article 5(1)(c) UK GDPR sets out the requirement of data minimisation 
which specifically includes a requirement that personal data be "limited 
to what is necessary in relation to the purposes for which they are 
processed". 


27. The EN sets out the Commissioner's concerns regarding access to 
potentially excessive and irrelevant trail data collected during the Pilot 
without proper regard to the principle of data minimisation. 


28. If Trail Data generated from Future Processing is retained and accessed 
for the same purposes, and in accordance with the same processes 
and guidance, as applied to trail data generated during the Pilot, the 
Commissioner anticipates that Article 5(1)(c) UK GDPR would be 
infringed. 


Infringement of Article 25 UK GDPR - data protection by design and 
by default 


29. Article 25 UK GDPR sets out the requirement for data protection by 
design and by default. 


30. The requirement for data protection by design is set out in Article 25(1) 
UK GDPR: 


"Taking into account the state of the art, the cost of implementation 
and the nature, scope, context and purposes of processing as well as 
the risks of varying likelihood and severity for rights and
freedoms of natural persons posed by the processing, the
controller shall, both at the time of the determination of the means 
for processing and at the time of the processing itself, implement 
appropriate technical and organisational measures, such as 
pseudonymisation, which are designed to implement data-protection 
principles, such as data minimisation, in an effective manner and to 
integrate the necessary safeguards into the processing in order to 
meet the requirements of this Regulation and protect the rights of 
data subjects". 


31. The requirement for data protection by default is set out in Article 
25(2) UK GDPR: 


"The controller shall implement appropriate technical and 
organisational measures for ensuring that, by default, only personal 
data which are necessary for each specific purpose of the processing 
are processed. That obligation applies to the amount of personal data 
collected, the extent of their processing, the period of their storage 
and their accessibility. In particular, such measures shall ensure that 
by default personal data are not made accessible without the 
individual's intervention to an indefinite number of natural persons". 


32. The Home Office should complete a data protection impact assessment 
to identify and reduce the data protection risks posed by the Future 
Processing and to assist it in meeting the requirement of data 
protection by design and by default. 


33. The Commissioner has identified numerous concerns regarding the 
Home Office's approach to processing for the purpose of the Pilot, 
including in relation to the DPIA and guidance documentation, which 
are detailed throughout the EN. If the Home Office fails to properly
consider and address those concerns raised, the Commissioner
anticipates that the Home Office would be likely to infringe Article 25 
UK GDPR in relation to the Future Processing. 


Infringement of Article 5(2) UK GDPR - accountability 


34. Article 5(2) UK GDPR sets out the accountability principle, which
provides that a data controller "shall be responsible for and be able to
demonstrate compliance with the requirements of Article 5(1) UK
GDPR". This imposes a dual requirement: firstly, to be responsible for
compliance; and secondly, to be able to demonstrate compliance. 


35. Paragraphs 16-33 above detail specific provisions of the UK GDPR
that the Commissioner considers likely to be infringed
in connection with the Future Processing. The Home Office must ensure 
that it takes appropriate steps to both comply with those provisions 
along with its other obligations as a controller under the UK GDPR and 
to demonstrate how it has achieved compliance. 


36. Completing a full and detailed data protection impact assessment in 
accordance with the requirements of Article 35 UK GDPR, creating 
appropriate privacy information notices, and developing and 
documenting appropriate procedures and associated guidance will all 
assist the Home Office in meeting the accountability requirement. 


37. The Home Office should carefully review the EN. The Commissioner 
anticipates that the Future Processing will be the same, or substantially 
the same, as the processing undertaken for the Pilot. If the Home 
Office fails to take appropriate steps to address the findings in the EN, 
it would be likely to infringe Article 5(2) when undertaking the same, 
or substantially the same, processing activities as part of the Future 
Processing. 


Action requested: 


38. Please bring this Warning to the attention of relevant colleagues at the 
Home Office. 


39. Please be aware that a data controller’s failure to take into account a 
relevant Warning is a potential aggravating factor which may be taken 
into account when the Commissioner is considering exercising his 
other corrective powers in relation to an infringement of the UK GDPR.²
If the Home Office decides to undertake the Future Processing without 
having appropriately addressed the issues raised in this Warning, its 
failure to take account of the Warning could increase the likelihood of 
formal enforcement action being taken in relation to any infringements 
of the UK GDPR arising from those processing operations. 


Yours sincerely, 


John Edwards 


Information Commissioner 


² ICO Regulatory Action Policy, p. 11.


Wycliffe House 
Water Lane 
Wilmslow 
Cheshire 
Information Commissioner's Office


